arm - role for enterprise application

Rotem ben hemo 6 Reputation points
2021-08-31T08:20:02.667+00:00

hello,

I created an Enterprise application in the Azure Active Directory. I manually gave it the Reader role under my subscription -> Access control (IAM).

I am searching for a way to add more roles to the app using Azure ARM (for automation).

In my search I found this:

    "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2018-09-01-preview",
        "name": "[guid(some string)]",
        "properties": {
          "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'roleId')]",
          "principalId": "objectId"
        }
      }
    ]

When I give the "objectId" as a parameter (which I took manually from the portal) it works, and I see the new role under the subscription access control.

Is there a way to get this objectId by some function of ARM, without getting the id as a parameter?

I read that I can use the function "[reference(resourceId()).principalId]" but I don't know which values I need to insert for my Enterprise application. I have app (client id), tenant id, subscription id, client secret. Which provider do I need to give? ResourceType? I did not find any record about it. Can this function be used for an Enterprise application?

I also tried to take the objectId using a CLI command: $(az ad sp show --id appId --query 'objectId'), and tried to use it in the ARM with deploymentScripts. I created userAssignedIdentities for it and gave it the Contributor role, but I am getting an error: Insufficient privileges to complete the operation...


1 answer

Saurabh Sharma 23,826 Reputation points Microsoft Employee
2021-08-31T23:29:54.297+00:00

Hi @Rotem ben hemo,

Thanks for using Microsoft Q&A!!
It is unfortunately not possible to get the service principal Id directly in an ARM template. If the service principal is of a managed identity supported service, then you can use Identity.principalId to refer to the same. So, if the managed identity is of a VM, then you can use something like below -
"[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]"
Please refer to the documentation over here.

Also, you can directly refer to User Assigned Managed Identities in your ARM template by using the resource type 'Microsoft.ManagedIdentity/userAssignedIdentities' and explicitly mentioning principalType as "ServicePrincipal". Please refer to the documentation for details. Please let me know if you see any issues with this.

Thanks
Saurabh
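As an added illustration of the second approach in the answer (not code from the question, the answer, or Microsoft's documentation), here is a resource-group-scoped ARM template that creates a user-assigned managed identity and, in the same deployment, assigns it only the built-in Reader role, reading the principalId back through reference() instead of passing an objectId parameter. The identity name, the guid() seed and the resource-group scope are assumptions; the Reader role definition id is the well-known built-in GUID, and the deploying principal still needs Microsoft.Authorization/roleAssignments/write (Owner or User Access Administrator) at the target scope.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identityName": {
      "type": "string",
      "defaultValue": "automation-identity",
      "metadata": { "description": "Assumed name of the user-assigned managed identity to create." }
    }
  },
  "variables": {
    "identityResourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]",
    "readerRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [
    {
      "comments": "The identity is created here, so its principalId is known to the deployment without any manual lookup.",
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2018-11-30",
      "name": "[parameters('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "comments": "Least privilege: Reader only. dependsOn ensures the identity exists before reference() is evaluated. principalType avoids failures caused by directory replication delay for a freshly created principal. Without an explicit scope, a resource-group deployment assigns the role at the resource-group scope.",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, parameters('identityName'), 'Reader')]",
      "dependsOn": [ "[variables('identityResourceId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('readerRoleDefinitionId')]",
        "principalId": "[reference(variables('identityResourceId'), '2018-11-30').principalId]",
        "principalType": "ServicePrincipal"
      }
    }
  ],
  "outputs": {
    "principalId": {
      "type": "string",
      "value": "[reference(variables('identityResourceId'), '2018-11-30').principalId]"
    }
  }
}
```

To grant the role at subscription scope as in the question, the same role-assignment resource can be deployed in a subscription-level deployment with the identity's resource group referenced explicitly; the principalId expression stays the same.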

